Public Key Cryptography and PGP Fundamentals

PGP stands for Pretty Good Privacy and actually provides perfect privacy. Used correctly, it can prevent the contents of your messages, texts, and even files from being read, even by well-budgeted government surveillance programs.

Unfortunately, PGP is not very good at being easy to understand or easy to use. The strong encryption (public-key encryption) that PGP uses is quite ingenious but challenging to grasp fully. PGP software has been around since 1991, making it as old as the first versions of Microsoft Windows, and it hasn’t changed much in appearance since then.

See Also: Encryption Key Management Essentials

The good news is that many programs are now available to mask this ancient PGP design and make it simpler to use, especially for encrypting and authenticating emails, which is PGP’s primary feature.

Before you start tampering with PGP and other programs that use it, it’s worth spending a few minutes understanding the basics of public-key encryption. Let’s answer questions such as what public-key encryption can do for you, what it cannot do, and when you should use it.

What is Public Key Encryption?

Traditional encryption systems use the same password or key to encrypt or decrypt a message. If you encrypt a file using the “redmonster” password, you need both the file and the “redmonster” password to decrypt this password.

See Also: What Are the PCI DSS Encryption Requirements

Two keys are used in public key encryption: one to encrypt and the other to decrypt. This working principle has many benefits. First, as long as you keep one of the keys secret, you can distribute the other key however you want so that others can talk to you securely. This key you distribute is called the “public key.” PGP for your emails and files, OTR for your instant messaging, and public-key encryption for encrypting SSL/TLS you use when surfing the internet.

What is Pretty Good Privacy (PGP)?

PGP, aka Pretty Good Privacy, is one of the most popular applications of public-key cryptography. Phil Zimmermann, the PGP creator, wrote the program in 1991 to protect communications for people in need. When Zimmermann’s use of the program crossed the US borders, it was formally reviewed by the American government. The export of tools that included strong public-key encryption was a violation of American law at the time.

PGP continues to exist as commercial software today. GnuPG, an original implementation of the basic standard used by PGP, also continues to exist. Since they both have a changeable approach, people may say that even when they use GnuPG, they use a “PGP key” or “PGP message.”

The Story of Two Keys

When we use encryption, here’s what we’re trying to do:

We receive a message that can be clearly read by everyone, such as “Hello daddy.” We encrypt this and turn it into a coded message that no one viewers can understand. We send this message on the internet hoping that many people will read it, but no one will. Then the message reaches its destination, and only our intended recipient has a way to decipher it and translate it into our original message.

How did our recipient know how to decode the message when no one else could? He needs to have some extra information that no one else knows. Let’s call it the decoding key because it can decode the code inside our message.

See Also: PCI DSS Requirement 4 Explained

How does our recipient know this key? Often the sender has already said the key. However, there is a weakness in this method. If you are afraid that someone will listen to you while sending a coded message, how do you make sure that someone is not listening to your conversation when you want to send this key?

If the attacker knows how to decode your message, there will be no point in sending a resourcefully encrypted message. If you have a secret to send the decoding keys, why would you need another way for all your secret messages?

Public key cryptography has an exquisite solution to this. Everyone involved in the conversation has a way to generate two keys. One of them is the secret key; they keep it to themselves and never give it to anyone else.

The other is the public key, which they give to anyone who wants to communicate with them. It doesn’t matter who sees your public key. You can even put it online for everyone to see if you wish.

The “keys” are actually very large numbers that have specific mathematical properties. The public key and the private key are linked. If you encrypt something using a public key, someone else can decode it with its equivalent secret key.

Let’s see how this can work. You wanted to send a secret message to Bob. Bob owns a private key, and as a good user of public-key cryptography, he also put his linked public key on his website. You download the public key, encrypt your message using it, and send it to it. It can decode the message because it has the secret key attached, and no one but it can decrypt the message.

Since the person to whom you want to send a message already has the decryption key, public key cryptography saves you the trouble of moving it on. All you have to do is get the encoding key, which the buyer can give to anyone, including agents because this key is only for message encoding and is of no use to decode a message.

See Also: What You Need to Know About Encrypted Communication

If you encode a message with a specific public key, only the matching secret key can decrypt it. However, the opposite is also true. If you encrypt a message with a specific secret key, that message can only be decrypted with the matching public key.

Well, what could it do? At first glance, you might think it wouldn’t be an advantage to write a secret message with your secret key that anyone in the world can crack. But imagine, I’m writing a message saying, “I promise to pay Bob $ 100” and convert it into an encrypted message with my secret key.

Anyone can crack the message’s code, but only one person could have written this message: the person who owns my secret key. If I did a good job of keeping my private key safe, that person could only be me.

In fact, by encoding it with my secret key, I assured that the message could definitely come from me. In other words, I signed a message in the digital world, as I did in the real world.

See Also: Email Security Best Practices

The signing also protects messages from tampering. If someone wants to change the message “I promise to pay Bob $ 100” to “I promise to pay $ 100 to Alice”, they will not be able to re-sign the message with your private key. Therefore, a signed message guarantees that it comes from a specific source and is not changed on the way.

You can send encrypted messages to someone whose public key you know using public key cryptography. Others who have access to your public key will send you encrypted messages that only you can decode.

If your public key is established, you can sign your messages to ensure recipients that they are coming from you alone. You can decrypt messages signed by someone else and check that they are from that person alone if you know their public key.

It is also obvious that you must keep your private key in a secure location. If someone gets a copy of your private key, they can impersonate you and sign messages as if you wrote them. PGP can “revoke” a secret key and warn people that it is no longer trusted, but this is not a very good solution. The most critical part of using public-key cryptography systems is to protect your private key very carefully.

How Pretty Good Privacy (PGP) Works?

Pretty Good Privacy is mainly concerned with the small details of creating and using public and private keys. With it, you can create public/private key pairs, protect your secret key with a password, and encrypt and sign text using it and your public key.

You can also download other people’s public keys and upload your own to “public key servers,” which are repositories where others can find them.

You may have noticed a potential flaw in the way public key cryptography works. Let’s imagine I created a key that said it belonged to Bill Gates and started distributing it. If people believe me, he can use the key to start sending secret messages to Bill. Or they may think that everything signed with this key is a sworn statement Bill made. This is very rare but has been seen to happen in real life.

Another sneaky attack that attackers can take is to enter between two people speaking online, eavesdropping on all their conversations, and occasionally leaking their own false messages into the conversation.

See Also: Securing Card Data in Transit: PCI DSS Requirement 4

Such an attack is quite possible, thanks to the internet’s design that circulates messages over many different computers and private individuals. Under these circumstances (“man-in-the-middle attack”), it becomes highly risky to perform a key exchange from a contract in advance.

Someone you think is Bill Gates says, “Here is my key,” and sends you a public key file. But how can we be sure that someone did not wait until then and spoil the communication just as the key file arrives, instead of leaking their own key to the conversation?

See Also: PCI Compliance and Email Security

How can we prove that a key belongs to a specific person? One way is to get the key directly from that person, but this is no different than our problem of getting a secret key unknowingly to someone we’ve had in the first place.

PGP offers a slightly improved solution called “web of trust.” I can sign a key and upload it to public key servers with my signature if I believe it belongs to a specific individual in the trusted network. These key servers also send signed keys to those asking for that key.

Simply put, the more people who have signed a key, the more likely I am to believe it belongs to the individual named on it. PGP allows you to sign others’ keys and also to trust other signatories, so if they sign a key, your software will automatically count that key as trusted.

The trust network poses many challenges, and organizations such as the EFF continue their research to find better solutions to this problem. But for now, if you are looking for an alternative to one-to-one turnkey, the best solution would be to use the trusted network and public key servers.

What Can’t Pretty Good Privacy (PGP) Do?

PGP is all about making sure your messages are confidential, authentic, and untouched. However, this may not be the only privacy issue you have. As we mentioned earlier, information about your messages can reveal many things, such as their content.

PGP does nothing to hide who you are talking to or using PGP while talking to you. If your public key is uploaded to key servers and you sign others’ keys, you are actively announcing to the world which key is yours and who you know.

You can only give your PGP public key to people you trust and tell them never to upload it to public key servers. You don’t have to add your name to your key either.

Hiding that you are communicating with a particular person is more complicated. One approach is for all parties to use anonymous email addresses and then use Tor to log in to them. If you do, PGP will continue to be useful by keeping your email messages private from others and ensuring that each other’s messages are not tampered with.

Surkay Baykarahttp://www.pcidssguide.com
A passionate Senior Information Security Consultant working at Biznet. Over the past 15+ years my professional career has included several positions beginning as a developer and IT administrator, working my way up to a senior Technical Performance Consultant before joining Biznet back in 2015. I had several different roles at Biznet, including Penetration Tester and PCI DSS QSA. In my job as a QSA, I found my passion and worked closely with the Audit and Compliance team. I've been working inside InfoSec for over 15 years, coming from a highly technical background. I have earned several certifications during my professional career including; CEH, CISA, CISSP, and PCI QSA.

More from author

Point of Sale (POS) Security Issues

POS related data breaches and security issues in recent years indicate that POS systems are vulnerable and may be at risk from attacks.

Point of Sale (POS) Security Checklist

Merchants are responsible for ensuring that their respective payment systems and infrastructures are secure.

What are the Acceptable Formats for Truncation of PAN

The industry practice is to eliminate the middle six digits, but the standards for each major card brand range slightly. Organizations seeking flexibility in this area should review the individual requirements for each card brand.

Related posts

Latest posts

Point of Sale (POS) Security Issues

POS related data breaches and security issues in recent years indicate that POS systems are vulnerable and may be at risk from attacks.

Point of Sale (POS) Security Checklist

Merchants are responsible for ensuring that their respective payment systems and infrastructures are secure.

What are the Acceptable Formats for Truncation of PAN

The industry practice is to eliminate the middle six digits, but the standards for each major card brand range slightly. Organizations seeking flexibility in this area should review the individual requirements for each card brand.

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!